If your website doesn't use a database, you can relax a bit; this article doesn't apply to your site, although you might find it interesting anyway. If your site does use a database and has an administrator login with rights to update the site, or indeed any form that can be used to submit content to the site (even a comment form), read on.
Warning
This article will show you how to break into vulnerable websites, and how to check your own website for one specific vulnerability. It's OK to play around with this on your own site (but be careful!), but do not be tempted to try it out on a site you do not own. If the site is properly managed, an attempt to log in using this or similar methods will be detected, and you might find yourself facing charges under the Computer Misuse Act. Penalties under this act are severe, including heavy fines or even imprisonment.
What is SQL Injection?
SQL stands for Structured Query Language, and it is the language most website databases understand. SQL Injection is a technique attackers use to add their own SQL to your site's SQL, either to gain access to confidential information or to change or delete the data that keeps your website running. I'm going to talk about just one form of SQL Injection attack, one that allows an attacker to log in as an administrator without knowing the password.
Is your site vulnerable?
If your website has a login form for an administrator, go to your site now and, in the username field, type the administrator's user name.
In the password field, type or paste this:
x' or 'a' = 'a
If the website didn't let you log in with this string, you can relax a bit; this article probably doesn't apply to you. However, you might like to try this alternative:
x' or 1=1--
You could also try pasting either or both of the strings above into both the username and password fields, or, if you are familiar with SQL, a few other variations. An attacker who really wants access to your site will try many variations before giving up.
If you were able to log in using any of these methods, get your web tech to read this article and to read up on all the other forms of SQL Injection. The attackers and script kiddies know all this stuff; your web techs need to know it too.
The technical stuff
If you were able to log in, then the code which generates the SQL for the login looks something like this (PHP, building the query by string concatenation with the user's input dropped straight in):
$sql = "SELECT * FROM users " .
       "WHERE username = '" . $username .
       "' AND password = '" . $password . "'";
When you log in normally, say with username admin and password secret, admin is put in place of $username and secret in place of $password, and the SQL that is generated looks like this:
SELECT * FROM users WHERE username = 'admin' AND password = 'secret'
But when you enter
x' or 'a' = 'a
as the password, the SQL that is generated looks like this:
SELECT * FROM users WHERE username = 'admin' AND password = 'x' or 'a' = 'a'
Notice that the string
x' or 'a' = 'a
has injected an extra condition into the WHERE clause: or 'a' = 'a'. Since AND binds more tightly than OR, the database reads the clause as (username = 'admin' AND password = 'x') OR 'a' = 'a'. The second half is true for every row, so the query returns every user in the table, whatever username and password were typed. If there is only a single user defined in the database, that user's details will always be returned and the system will let you in. If you have multiple users, the login code will typically take the first row returned, and which row comes first is up to the database; it may be a user without administration rights (although it might be a user who has paid to access the site). Do you feel lucky?
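The mechanics above, as an added example that is not from the original article: a Python script against an in-memory SQLite table holding two constructed users, building the login query by string concatenation exactly as the PHP does. It runs the article's two payloads and, going a little beyond the text, also tries the payload in the username field on its own (where operator precedence makes it fail) and a comment-based variation in the username field that picks the admin account directly, so no luck is needed.

```python
import sqlite3

# Constructed sample data for this example (not from the article): one
# administrator and one ordinary user, passwords stored in clear text as the
# article's query implies.
USERS = [
    (1, "admin", "secret", 1),
    (2, "bob", "hunter2", 0),
]


def make_db():
    """Build an in-memory copy of the article's `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    conn.commit()
    return conn


def build_vulnerable_sql(username, password):
    """Concatenate the query exactly as the article's PHP does: the user's input
    lands inside the quoted literals with nothing stopping it from closing them."""
    return (
        "SELECT * FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def vulnerable_login(conn, username, password):
    """Run the concatenated query and return every matching row, in the order the
    database hands them back. A real login page would take rows[0]."""
    return conn.execute(build_vulnerable_sql(username, password)).fetchall()


def usernames(rows):
    """Reduce result rows to the username column for readability."""
    return [row[1] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    cases = [
        ("admin", "secret"),             # normal login: one row
        ("admin", "wrong"),              # wrong password: no row
        ("admin", "x' or 'a' = 'a"),     # article's first payload: every row
        ("nobody", "x' or 1=1--"),       # second payload; username need not exist
        ("' or 'a' = 'a", "whatever"),   # payload in the username field only
        ("admin' --", "whatever"),       # comment out the password check entirely
    ]
    for user, pw in cases:
        print(repr(build_vulnerable_sql(user, pw)))
        print("   ->", usernames(vulnerable_login(conn, user, pw)))
```

The username-only case fails because `username = '' or 'a' = 'a' AND password = 'whatever'` is parsed as `username = '' OR ('a' = 'a' AND password = 'whatever')`, and nobody's password is `whatever`; that is why the article suggests trying the string in both fields. The last case shows the other side of the coin: `--` comments out the rest of the statement, so the attacker gets exactly the account they named.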
How to defend against this type of attack
Fixing this particular hole isn't difficult, and there are several ways to do it. If you are using MySQL from PHP, for example, the simplest method is to escape the username and password with mysql_real_escape_string() (prefer it to the older mysql_escape_string(), which ignores the connection's character set), e.g.:
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql = "SELECT * FROM users " .
       "WHERE username = '" . $username .
       "' AND password = '" . $password . "'";
Note that the mysql_* functions were removed in PHP 7; on current PHP the equivalent is mysqli_real_escape_string(), or better still the bind variables discussed below.
Now when the SQL is built, it comes out as:
SELECT * FROM users WHERE username = 'admin' AND password = 'x\' or \'a\' = \'a'
Those backslashes ( \ ) make the database treat each quote as an ordinary character rather than as the end of the string, so it no longer sees an OR in the WHERE clause: it simply looks for a user whose password is literally x' or 'a' = 'a, and finds none.
This is just a simplistic example. In practice you will do a bit more than this, as there are many variations on this attack. For example, you might structure the SQL differently, fetch the user by user name only and then check in your own code that the password matches, or, best of all, always use bind variables (prepared statements), the strongest defence against SQL injection and strongly recommended. Bear in mind that escaping only helps where the value lands inside a quoted string; a value spliced into a numeric comparison such as WHERE id = ... has no quotes to escape, so escaping it changes nothing, whereas a bind variable protects both cases. And you should validate and, wherever you still build SQL by hand, escape all incoming data using the appropriate functions for whatever language your website is written in, not just the data used for login.
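The defence side, as an added example that is not the article's code: the same constructed SQLite table, the login rewritten with bind variables, and a toy quote-doubling escape (a stand-in for mysql_real_escape_string(), which SQLite does not have) to show that escaping protects only values placed inside quotes. A value spliced into a numeric comparison stays injectable even after escaping, which is why bind variables are the better fix.

```python
import sqlite3

# Constructed sample data for this example (not from the article).
USERS = [
    (1, "admin", "secret", 1),
    (2, "bob", "hunter2", 0),
]


def make_db():
    """In-memory copy of the article's `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    conn.commit()
    return conn


def safe_login(conn, username, password):
    """Bind variables: the SQL text is fixed and the values travel separately, so a
    quote, an OR or a comment marker in the password is just characters to match."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def escape_quotes(value):
    """Toy stand-in for mysql_real_escape_string(): SQLite follows the SQL standard
    and doubles a single quote inside a string literal. Illustration only."""
    return value.replace("'", "''")


def escaped_login(conn, username, password):
    """The article's fix: escape, then concatenate. Safe here because both values
    sit inside single quotes."""
    sql = (
        "SELECT * FROM users WHERE username = '" + escape_quotes(username)
        + "' AND password = '" + escape_quotes(password) + "'"
    )
    return conn.execute(sql).fetchall()


def escaped_lookup_by_id(conn, user_id):
    """Same escaping, different context: the value is spliced into a numeric
    comparison with no quotes around it, so there is nothing for escaping to do."""
    sql = "SELECT * FROM users WHERE id = " + escape_quotes(user_id)
    return conn.execute(sql).fetchall()


def safe_lookup_by_id(conn, user_id):
    """Validate the type, then bind: '2 OR 1=1' is rejected before it reaches SQL."""
    uid = int(user_id)  # raises ValueError for anything that is not an integer
    return conn.execute("SELECT * FROM users WHERE id = ?", (uid,)).fetchall()


def usernames(rows):
    """Reduce result rows to the username column for readability."""
    return [row[1] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    payload = "x' or 'a' = 'a"
    print("bound   :", usernames(safe_login(conn, "admin", payload)))
    print("escaped :", usernames(escaped_login(conn, "admin", payload)))
    print("escaped numeric context :", usernames(escaped_lookup_by_id(conn, "2 OR 1=1")))
    try:
        safe_lookup_by_id(conn, "2 OR 1=1")
    except ValueError as exc:
        print("bound numeric context   : rejected,", exc)
```

Both `safe_login` and `escaped_login` defeat the article's payloads, but only the bound version keeps working when the same value is reused in an unquoted context; `escaped_lookup_by_id` hands back every user for the input `2 OR 1=1` despite the escaping.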